Ms J Birch, Headteacher
Moulton School
School Lane
Moulton
Cheshire
CW9 8PD


By post and email to: head@moulton.cheshire.sch.uk 
9 January 2020 


Dear Ms Birch 
Case Reference Number RFA0832748 


I write to inform you that I have now completed my investigation into the 
inappropriate disclosure of the personal data of children. 


In summary, it is my understanding that Moulton School failed to act upon 
information it had requested from parents about consent for any images of 
children to be shared. Images of two pupils whose parents had refused consent 
for their children’s images to be shared via any media were included in a class 
photo sent to the local newspaper and published with Moulton School’s name 
both online and in print. 


When I wrote to you on 1 November 2019, I set out details of the 
Commissioner’s powers. Based on my assessment and the information you have 
provided, I have decided to issue Moulton School with a reprimand in accordance 
with Article 58 (2)(b) of the General Data Protection Regulation (the GDPR). The 
specific terms of the reprimand can be found towards the end of this letter.


Our consideration of this case 


I have investigated whether Moulton School has complied with the following 
requirements of the GDPR: 


• Article 5 (1)(a) stipulates that personal data shall be “processed lawfully,
fairly and in a transparent manner in relation to the data subject
(‘lawfulness, fairness and transparency’)”;

• Article 5 (1)(f) stipulates that personal data shall be “processed in a
manner that ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical and
organisational measures (‘integrity and confidentiality’)”;

• Article 5 (2) which states that “the controller shall be responsible for, and
able to demonstrate compliance with, paragraph one [of Article 5]
(‘accountability’)”;

• Article 33 which states that “the controller shall without undue delay and,
where feasible, not later than 72 hours after having become aware of it,
notify the personal data breach to the [ICO], unless the personal data
breach is unlikely to result in a risk to the rights and freedoms of natural
persons.”


In response to our enquiries, Moulton School has provided the ICO with the 
following key information: 


• It has introduced a system to double-check the parental permissions in
place before pupils’ images are allowed to appear in the media.

• The Headteacher and Senior Leadership Team assessed that this personal
data breach did not need to be reported to the ICO.

• Moulton School’s external Data Protection Officer (DPO) was not informed
of this incident until three months afterwards, following the submission of a
complaint to the Chair of Governors by the pupils’ parents. The DPO advised
that any data breaches should be reported to him within 72 hours.

• The DPO also recommended that Moulton School undertake a data audit,
which has not yet been completed.


Taking the above into account, we do not believe Moulton School has complied 
with the requirements outlined by the GDPR. More specifically, we consider 
Moulton School to have infringed Article 5 (2) for the following reasons: 


• Moulton School failed to implement an appropriate procedure for the
handling of pupils’ images.

• The breach was not reported to the DPO at the time.

• Moulton School failed to adequately consider reporting this incident to the
ICO as a personal data breach.


We also consider Moulton School to have infringed Article 5 (1)(a) for the 
following reason: 


• The processing of the pupils’ images was not conducted in a transparent
manner and occurred in the absence of a lawful basis as required by Article 6.


We also consider Moulton School to have infringed Article 5 (1)(f) for the 
following reason: 


• The system in place at the time of the breach relied on a single member of
staff remembering to check a spreadsheet of parental permissions.


Details of reprimand


The reprimand has been issued in respect of the following processing operations 
that have infringed the GDPR: 


• Processing of personal data in breach of the principles and guarantees set
out in Article 5 (1)(a).

• Processing of personal data in breach of the principles and guarantees set
out in Article 5 (1)(f).

• Failing to implement organisational measures across the organisation in
breach of the obligation set out in Article 5 (2), as Moulton School cannot
demonstrate accountability with the principles.


Further action required 


Due to this, the Commissioner considers that Moulton School needs to take 
certain steps to improve compliance with the GDPR. We therefore strongly 
recommend your organisation implements the following measures: 


• Complete the data audit as recommended by your DPO and implement its
recommendations.

• All policies and procedures which are already in place need to be enforced
and reiterated to staff on a regular basis, such as annually or as soon as
changes are made. All staff should also sign a disclosure to confirm that
they have read and understood the policies/procedures.

• Keep accurate and up to date records of staff training, policy updates and
the internal communications that bring these to the attention of staff. This
will create an audit trail to evidence compliance with the GDPR.

• Promote awareness of appropriate data sharing by staff on a regular basis,
such as staff meetings, briefings and refresher training. This should include
sufficient guidance on the practical application of procedures to prevent
inappropriate disclosures.


Further information about compliance with the GDPR which is relevant to this 
case can be found at the following links: 


https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/


We would ask that the above changes be implemented as soon as possible, and 
in any event by 9 February 2020. We also request that you contact us on 9 
July 2020 to update us on the changes you have implemented and any other 
measures you have implemented to improve your compliance with the GDPR. 


Whilst the above measures are suggestions, we would point out that if further 
information relating to this subject comes to light, or if further incidents or 
complaints are reported to us, we will revisit this matter and further formal 
regulatory action may be considered as a result. 


We actively publicise our regulatory activity and outcomes, as this helps us to 
achieve our strategic aims in upholding information rights in the public interest. 
We may publish information about cases reported to us, for example where we 
think there is an opportunity for other organisations to learn or where the case 
highlights a risk or a novel issue. 


Therefore, we may publish the outcome of this investigation to publicise our 
regulatory authority and new powers under the GDPR. We will publish 
information in accordance with our Communicating Regulatory and Enforcement
Activity Policy, which is available online at the following link: 


https://ico.org.uk/media/about-the-ico/policies-and-procedures/1890/ico-enforcement-communications-policy.pdf


Please let us know if you have any concerns about this. 


Thank you for your co-operation and assistance during the course of our 
investigation. We now consider the matter closed. 


Yours sincerely 


Lead Case Officer 
Information Commissioner’s Office 


You should be aware that the Information Commissioner often receives requests
for copies of the letters we send and receive when dealing with casework. Not
only are we obliged to deal with these in accordance with the access provisions of
the data protection framework and Freedom of Information Act 2000, it is in the
public interest that we are open and transparent and accountable for the work
that we do.


Please say whether you consider any of the information you send us is
confidential. You should also say why so that we can take that into consideration.
However, please note that we will only withhold information where there is good
reason to do so.


The ICO publishes the outcomes of its investigations. Examples of published data
sets can be found at this link:
https://ico.org.uk/about-the-ico/our-information/complaints-and-concerns-data-sets/


For information about what we do with personal data, see our privacy notice at
www.ico.org.uk/privacy-notice


